HIPAA Security Rule approaches home stretch

December 3, 2004

"Didn't we just finish with HIPAA? How can there be more to do, and why do we have to do it anyway?" It had been a long physician board meeting, and the radiologists really didn't want to hear about more HIPAA deadlines. Just what does need to happen now with HIPAA, and why?

The Health Insurance Portability and Accountability Act was designed to standardize electronic healthcare transactions and thus achieve administrative simplification and reduced costs. Healthcare entities requested these changes as they watched administrative costs associated with claims processing spiral upward, often at what appeared to be the whims of insurance companies, which modified claim formats and made them more complex. Failure to submit a "clean" claim resulted in payment delays, additional work, and, too often, failure to collect at all.

Congress agreed that healthcare administrative costs were out of control and passed HIPAA into law in 1996. Concerns about the security of patient healthcare information emerged during the process of standardizing electronic transactions, and regulations were developed to address the privacy of protected health information, the rights of patients in regard to their personal information, and implementation of appropriate security measures (Table 1). Due to the development and approval process of the transactions, privacy, and security elements, the implementation deadlines were staggered. This was probably a blessing for industry, as the mandated changes are substantial and time-consuming to develop. The Security Rule is the final element. It must be implemented by April 21, 2005.

SECURITY RULE EXPECTATIONS

To understand the scope of the regulations, it is important to know what is expected in security compliance. While the Privacy Rule applies to protected health information in any form, the Security Rule deals with electronic protected health information (EPHI), and the regulations state that healthcare entities are required to complete "the implementation of basic safeguards to protect EPHI from unauthorized access, alteration, deletion and transmission." They further mandate that EPHI must be protected during transmission and while at rest, so stored information must also be considered in compliance plan development.

An interesting development occurred between the proposed version of the security regulations and the final rule. To accommodate the different sizes and complexities of the healthcare organizations falling under the HIPAA guidelines, certain implementation specifications were designed to be "addressable," while others are required of all entities.

Radiology represents a sophisticated specialty in terms of its use of technology. Electronic claims submission has been a staple of billing operations for many years, as have electronic payments. With the proliferation of teleradiology, PACS, and remote access to images, however, security measures have often lagged behind the drive to adopt each new technological advance. While healthcare entities generally consider HIPAA an unwelcome burden, it actually provides excellent guidelines to ensure that medical electronic practices offer the same levels of protection required of other industries that handle sensitive personal information.

But what about practices that use an outside billing service or outsource IT functions? Do they still need to worry about HIPAA? Yes, but from the perspective of assuring that these entities have taken appropriate steps to meet the standards. If enforcement of Medicare fraud and abuse statutes illustrates how the government will view compliance with HIPAA regulations, a radiology practice will be held accountable on a "knew or should have known" basis for the compliance of its outsourced business operations. In other words, the group should know how compliance is accomplished by these supporting entities and should request a review of their HIPAA compliance plan documentation.

SCOPE OF SECURITY RULE

Three distinct categories must be addressed in order to reach compliance under the Security Rule (Table 2):

-Administrative controls cover the development of policies and procedures, provide a framework to define acceptable access and uses of EPHI, and establish expectations for personnel behavior. The administrative portion of the security rule is the most detailed and time-consuming portion of the HIPAA to-do list. While HIPAA has often been described as a "computer thing" that involves only firewalls, backups, and other technical solutions, the Security Rule is in fact primarily administrative in its scope, with an estimated 70% emphasis on this area.

-Physical safeguards must also be put in place to restrict unauthorized access to equipment and the buildings or areas housing that equipment. In addition, the physical safeguards should be designed to protect materials containing protected health information.

-Technical safeguards, representing controls applied to information systems, are required to protect hardware, software, and networks. The installation of firewalls, virus protection, and other safeguards falls under this area.

BUSINESS CONTINUITY PLANNING

One of the biggest challenges of the Security Rule involves the development of a disaster plan and emergency mode operations plan. This is a requirement, although the level of detail will vary with the size and complexity of the individual practice. Again, HIPAA defines its expectations in terms of the protection and restoration of EPHI. But a plan that covers only EPHI and neglects the practice's financial information, payroll records, physician licensing information, employment contracts, and other critical business documents and processes can satisfy the regulation and still miss the mark, with far-reaching implications for business continuity.

A disaster or emergency is normally thought of in the context of natural disasters such as hurricanes, tornadoes, or floods. Radiology practices located in geographical areas where such activity is common are more likely to have an established foundation for business continuity, but it is important to remember other, more likely scenarios (Table 3).

In addition to the expectation that EPHI can be restored in its original format, contingency planning guidelines include policies and procedures for response to an emergency that damages systems containing EPHI. This includes data backup, disaster recovery, and emergency mode operations plans; testing and revision processes (addressable); and applications/data criticality analysis (addressable).

Reference documents for disaster/continuity planning include several publications from the National Institute of Standards and Technology, including NIST SP 800-30, Risk Management Guide for Information Technology Systems, and NIST SP 800-34, Contingency Planning Guide for Information Technology Systems (www.NIST.gov). Information is available as well from the Federal Emergency Management Agency at www.FEMA.gov.

The biggest problem in developing the business continuity plan is that most practice managers and/or physician leaders will stack this task on top of an already full schedule. Additionally, their knowledge base will probably not encompass critical issues related to disaster planning. Resources for disaster planning are not difficult to comprehend, but applying them to typical radiology operational processes is time-consuming.

POLICIES AND PROCEDURES

Required security policies and procedures reinforce the expectation that company and employee behaviors will support the security program. Sample policies and procedures listed in the HIPAA Security Rule include but are not limited to the following:

-security implementation process;

-authorizing access to EPHI;

-addressing security incidents;

-responding to an emergency;

-limiting physical access;

-defining appropriate workstation use;

-protection of EPHI from improper alteration or destruction;

-disposal of devices and media;

-sanction policy for failure to comply with policies and procedures;

-review of information system activity;

-authorization and/or supervision of the workforce;

-protection from malicious software;

-password management;

-processes to manage the reuse of storage media; and

-data backup and storage.

TRAINING

A review of likely security incidents reveals that system vulnerabilities are often exploited (from either inside or outside the organization) through employee ignorance. HIPAA therefore expects each covered entity to provide training, including initial awareness training and periodic reminders. As employees represent a common security risk (either through ignorance or malice), they must be informed of the practice's security policies as well as, for example, the following:

-virus and malicious software risks, especially when employees have been granted Internet access for processes such as insurance claims follow-up and/or researching unique physician identification numbers;

-password management, including the responsibility to protect passwords and change them when required, as well as the use of "strong" passwords;

-appropriate use of e-mail and the Internet;

-individual employee responsibilities in maintaining security levels;

-policies regarding restrictions on personal software, downloads, offsite use, and unauthorized disks (or similar media);

-workstation use, including approved activities and log-off requirements;

-building access restrictions;

-sanctions for failure to follow required procedures; and

-how to report a security incident and how incidents are followed up.

PHYSICAL SAFEGUARDS

Implementation of physical safeguards includes standards for controlling access to a facility, identifying appropriate functions for workstation use (and limiting access to those workstations), and controlling both devices and media used to process and store EPHI. Included are the following elements:

-policies and procedures to limit physical access to information systems and the facilities in which they are housed;

-contingency operations (addressable);

-development of a facility security plan (addressable);

-access control and validation procedures (addressable);

-documentation of maintenance records (addressable);

-policies and procedures that specify functions to be performed on each workstation and govern the physical location of those workstations;

-physical safeguards to restrict access to workstations;

-policies and procedures governing the disposal of devices and media containing EPHI (required);

-policy regarding media reuse (required);

-assignment of accountability (addressable); and

-processes for data backup and storage (addressable).

Audits of data backup procedures in radiology groups and billing companies have found that backups were completed on a regular basis and to that degree met the HIPAA guidelines. However, the backup media were sometimes stored in a staff member's house or car, where they could be subject to theft or destruction, especially if the employee were to become disgruntled. A backup that exists but cannot be trusted or recovered does not protect EPHI, which reinforces the importance of reviewing the logic supporting existing policies and procedures as part of the compliance process.

TECHNICAL SAFEGUARDS

Because technical safeguards are often provided by information system and equipment vendors, this may be the easiest section in which to achieve compliance. Computer networks, especially those that have grown over the years, will likely pose the greatest risks. Vendor-supplied safeguards still belong to the practice's plan, so documentation of what each vendor provides, and of how it is configured, should be part of plan development.

Standards in the technical safeguards section of the regulations include access controls, audit controls, and the security of electronic transmissions. Implementation specifications include:

-technical policies and procedures to limit access;

-unique user identification (required);

-development of an emergency access procedure (required);

-audit mechanisms to record and examine activity in systems using EPHI;

-implementation of technical security measures to guard against unauthorized access;

-integrity controls (addressable); and

-encryption (addressable).
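Three of the specifications listed above (unique user identification, audit controls, and integrity controls) fit together naturally: every EPHI action is attributed to an individually assigned user ID, recorded whether it was permitted or refused, and stored so that later alteration of the record is detectable. The following Python is an added illustration of that combination, not code from the article or from any radiology or PACS product. The audit key, the role table, the generic-account list, and the accession numbers are all hypothetical; a real deployment would keep the key outside the application host and would add the encryption specification, which is not shown here.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder. In practice the audit key lives outside the
# application host (HSM or key-management service) so that a compromised
# application cannot simply re-sign a doctored log.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"

# Hypothetical role table: which actions each role may perform on EPHI.
ROLE_PERMISSIONS = {
    "radiologist": {"read", "annotate"},
    "billing": {"read"},
    "it_admin": set(),   # keeps the system running; no clinical data access
}

# Shared or generic logins defeat unique user identification, so they are refused.
GENERIC_ACCOUNTS = {"admin", "frontdesk", "shared", "guest"}


class AuditLog:
    """Append-only log in which each entry's HMAC also covers the previous
    entry's HMAC, so editing, reordering or deleting an interior entry
    breaks the chain at that point."""

    def __init__(self, key: bytes):
        self._key = key
        self._prev_mac = bytes(32)   # genesis value for the first link
        self.entries = []

    def _mac(self, prev_mac: bytes, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, prev_mac + payload, hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, record_id: str, allowed: bool) -> dict:
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "allowed": allowed,
        }
        entry = dict(body, mac=self._mac(self._prev_mac, body))
        self.entries.append(entry)
        self._prev_mac = bytes.fromhex(entry["mac"])
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = bytes(32)
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            expected = self._mac(prev, body)
            if body.get("seq") != i or not hmac.compare_digest(expected, entry["mac"]):
                return i
            prev = bytes.fromhex(entry["mac"])
        return -1


def access_ephi(log: AuditLog, user_id: str, role: str, action: str, record_id: str) -> bool:
    """Authorise one EPHI action and audit it whether or not it is allowed."""
    if not user_id or user_id.lower() in GENERIC_ACCOUNTS:
        raise ValueError("EPHI access requires an individually assigned user ID")
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.record(user_id, action, record_id, allowed)   # denied attempts are logged too
    return allowed


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    access_ephi(log, "dr.smith", "radiologist", "read", "ACC-1001")
    access_ephi(log, "jdoe", "billing", "annotate", "ACC-1001")   # refused, still logged
    print("chain intact:", log.verify() == -1)
    log.entries[1]["user"] = "someone_else"                        # simulate tampering
    print("first bad entry:", log.verify())
```

Two caveats belong with this pattern. The chain detects edits, reordering and deletion of interior entries, but not removal of the most recent entries; catching truncation requires periodically anchoring the latest MAC somewhere the application cannot write, such as a separate log server. And recording is only half of the audit-control specification: someone still has to examine the log, which is the "review of information system activity" policy listed earlier.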

TIMELINE

The compliance deadline for the HIPAA security rule is April 21, 2005, which portends an action-packed few months even if work is already under way. It will be important to assess in-house capabilities, determine the extent of work required based on the scope of the practice, and allot sufficient time to work through the details. It is likely that a practice would have developed several policies and procedures during implementation of the Privacy Rule that are applicable to the Security Rule, so a first step could involve reviewing what has already been done.

The main risk of failing to comply is not necessarily regulatory penalties; because security breaches are inevitable, the business risk itself makes compliance a priority. HIPAA establishes a defined business standard for all medical practices, the process to file a complaint is quick and efficient, and patients are becoming increasingly sophisticated about the risks of a violation and the potential rewards of reporting one.

While they represent a laborious and sometimes painful process, the steps taken to achieve HIPAA compliance elevate the stature of radiology as a leading-edge medical specialty.

Ms. Kroken is a principal in Healthcare Resource Providers in Albuquerque. She is a past president of the Radiology Business Management Association and a fellow in the American College of Medical Practice Executives.

Ms. Kroken has received honoraria from the RBMA and is a member of its speakers' bureau.